Token-Based Security for Web Applications Using OAuth2 and OpenID Connect
Presented by Vladimir Bychkov
Email: bychkov@gmail.com
Tech Talk DC 2019
About Vladimir Bychkov
• Software craftsman at EastBanc Technologies
• LinkedIn: www.linkedin.com/in/bychkoff/
• Email: bychkov@gmail.com
Website: eastbanctech.com | Website: www.kublr.com
EastBanc Technologies | Custom Software Development
Cutting Edge Software Development.
Based in Georgetown.
We are hiring!
www.eastbanctech.com
Agenda
• Authorization for web applications
• OAuth 2.0
• OpenID Connect
• Demo: authorization grants (flows)
• Federated gateway pattern
Form-based authentication
[Diagram: a login form (Username, Password, Login button) submits to the web server, which replies with Set-Cookie: id=a3fWa; Secure; HttpOnly]
On the web server:
• Look up user
• Hash+verify password
• Look up authZ info
• Create session
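The four server-side steps of the form-based login slide, written out as an added example (not code from the talk): a salted PBKDF2 password hash with constant-time comparison, a dummy hash so that unknown usernames cost the same as known ones, and a Set-Cookie header in the slide's shape. The user record, the iteration count and the SameSite attribute are assumptions of this example.

```python
# Added example (not from the talk): look up user, hash+verify password,
# look up authZ info, create session. User store and work factor are constructed.
import base64
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # assumed work factor; size it to your hardware budget


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing hash string: pbkdf2_sha256$iters$salt$digest."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iterations; compare in constant time."""
    algo, iters, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(actual, expected)


# Constructed user store: username -> (password hash, authZ info, here a role list)
USERS = {
    "alice": (hash_password("correct horse battery staple"), ["customer"]),
}

# Hash of a throwaway password: a login attempt for an unknown user then costs the
# same as one for a known user, so response time does not reveal valid usernames.
DUMMY_HASH = hash_password(secrets.token_hex(16))


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value in the slide's shape; SameSite=Lax is added by this example."""
    return f"id={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def login(username: str, password: str, sessions: dict) -> Optional[str]:
    """Run the slide's four steps. Returns the Set-Cookie header, or None on failure."""
    record = USERS.get(username)                        # 1. look up user
    stored_hash = record[0] if record else DUMMY_HASH
    ok = verify_password(password, stored_hash)         # 2. hash+verify password
    if record is None or not ok:
        return None
    roles = record[1]                                   # 3. look up authZ info
    session_id = secrets.token_urlsafe(32)              # 4. create session
    sessions[session_id] = {"user": username, "roles": roles}
    return session_cookie_header(session_id)
```

The session id is the only thing the browser holds; roles and the username stay in the server-side session store, which is what the slide's "create session" step produces.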
Modern Application Landscape
[Diagram: browser, mobile and server-app clients; a web app backed by several web services; an enterprise IdP and a social IdP]
Delegated Authorization
[Diagram: a banking client (client frontend in the browser, client backend acting as web client) prompts the user to "Enter PenFed login" (username, password), then calls the bank's web backend over https + cookie to read the user's transactions]
Problems with handing the password to the 3rd party:
• 3rd party has to store the password
• No way to limit scope
• Cannot revoke access (other than by changing the password)
OAuth 2.0 - Overview
• OAuth 2.0 is the industry-standard protocol for delegated authorization
• Published as IETF RFC 6749 in October 2012
• Initial purpose: give 3rd-party software access on the user's behalf
• Lingo:
  • Resource owner => user (human)
  • Client => 3rd-party software (app/service)
  • Authorization server => web service that verifies identity and issues tokens
  • Resource server => web service/API hosting protected resources
  • Authorization grant (flow) => standard process to obtain the user's authorization
  • Scope => level of access
  • Consent => the user's permission to grant access
  • Access code (authorization code) => temporary code used to obtain an access token
  • Access token => temporary, scoped credentials to access the user's resources
OAuth 2.0 – Endpoints (SSL required)
• Authorization endpoint
  • Used to interact with the resource owner and obtain an authorization grant. The authorization server must first verify the identity of the resource owner.
• Token endpoint
  • Used by the client to obtain an access token by presenting its authorization grant or refresh token.
• Redirection endpoint (client)
OAuth 2.0 - Protocol Flow
[Diagram only: abstract protocol flow]

OAuth 2.0 - Architecture
[Diagram: the resource owner (user) gives the client (relying party, RP) a grant (credentials); the client exchanges the grant at the authorization server (security token service, STS) for a token and presents that token to the resource server (resources)]
OAuth 2.0 - Grants
Grant type                 | Client type / Use case
Client Credentials         | For clients, such as web services, acting on their own behalf.
Authorization code w/ PKCE | Intended for traditional web applications with a backend as well as native (mobile or desktop) applications, to take advantage of single sign-on via the system browser.
Resource Owner Password    | For trusted native clients where the application and the authorization server belong to the same provider.
Implicit                   | Intended for browser-based (JavaScript) applications without a backend.
Refresh token              | A special grant to let clients refresh their access token without having to go through the steps of a code or password grant again.
Device code                | For devices without a browser or with constrained input, such as a smart TV, media console, printer, etc.
Token exchange             | Lets applications and services obtain an access token in delegation and impersonation scenarios.
OpenID Connect
• ID token (JWT)
• Discovery endpoint
• User-info endpoint (JSON schema)
• Uses OAuth 2 flows to obtain ID tokens

JWT – JSON Web Token
[Diagram only: JWT structure]

OpenID Connect Protocol Suite
[Diagram only: OpenID Connect protocol suite]
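What the resource server in the demos has to do with the "eyJhbGciO…" bearer token before trusting any claim in it, as an added example that is not code from the talk: mint an HS256 JWT the way an STS would, then verify the signature first and the iss/aud/exp/nbf claims second. The issuer, audience, key and claim values are constructed to match the demo's localhost:5000 STS and "api1" scope; a real API would validate against the STS's published signing keys (from the discovery endpoint) rather than a shared secret.

```python
# Added example (not from the talk): stdlib-only HS256 JWT mint + verify.
# ISSUER/AUDIENCE/KEY/SAMPLE_CLAIMS are constructed for this example.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "http://localhost:5000"   # assumed issuer value of the demo STS
AUDIENCE = "api1"                  # the demo API, used here as the audience
KEY = b"constructed-shared-secret-for-the-example"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, key: bytes = KEY) -> str:
    """STS side: header.payload.signature, compact JSON, base64url without padding."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, key: bytes = KEY, issuer: str = ISSUER,
                 audience: str = AUDIENCE, now: Optional[int] = None, leeway: int = 0) -> dict:
    """Resource-server side. Raises ValueError on any failure; returns the claims on success."""
    now = int(time.time()) if now is None else now
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = segments
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm; the token never gets to choose (rejects "none" and key-type swaps).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))   # only parsed after the signature holds
    if claims.get("iss") != issuer:
        raise ValueError("bad issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("bad audience")
    if "exp" not in claims or now > int(claims["exp"]) + leeway:
        raise ValueError("expired")
    if now < int(claims.get("nbf", 0)) - leeway:
        raise ValueError("not yet valid")
    return claims


# Constructed claims; nbf is the value the demo's /identity endpoint echoes back.
SAMPLE_CLAIMS = {"iss": ISSUER, "aud": AUDIENCE, "sub": "alice",
                 "nbf": 1531258758, "exp": 1531262358, "scope": ["api1"]}
```

The order matters: signature before claims, and the algorithm pinned by the verifier's configuration rather than read from the header. The demo's /identity output lists exactly the claims this function returns, so a claim the API acts on has passed every check above.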
DEMO – Client Credentials Flow
https://docs.pivotal.io
1. Client -> STS token endpoint:
   POST http://localhost:5000/connect/token
   Authorization: Basic Y2xpZW50OnNlY3JldA==
   grant_type=client_credentials&scope=api1
2. STS -> client:
   HTTP/1.1 200 OK
   Content-Type: application/json; charset=UTF-8
   …
   {"access_token":"eyJhbGciO…
3. Client -> API:
   GET http://localhost:5001/identity
   Authorization: Bearer eyJhbGciO…
4. API -> client:
   HTTP/1.1 200 OK
   Content-Type: application/json; charset=UTF-8
   …
   [{"type":"nbf","value":"1531258758"}, …
DEMO – Resource Owner Credentials Flow
1. User enters username and password directly into the client.
2. Client -> STS token endpoint:
   POST http://localhost:5000/connect/token
   Authorization: Basic cm8uY2xpZW50OnNlY3JldA==
   grant_type=password&username=alice
   &password=password&scope=api1
3. STS -> client:
   HTTP/1.1 200 OK
   Content-Type: application/json; charset=UTF-8
   …
   {"access_token":"eyJhbGciO…
4. Client -> API:
   GET http://localhost:5001/identity
   Authorization: Bearer eyJhbGciO…
5. API -> client:
   HTTP/1.1 200 OK
   Content-Type: application/json; charset=UTF-8
   …
   [{"type":"nbf","value":"1531258758"}, …
DEMO – Authorization Code Flow
1. Browser -> web app (the "mvc" client):
   GET /Home/Secure
2. Web app -> browser: redirect to the STS authorization endpoint
   HTTP/1.1 302 Found
   Location: http://localhost:5000/connect/authorize?
   client_id=mvc
   &redirect_uri=http://localhost:5002/signin-oidc
   &response_type=code id_token
   &scope=openid profile api1 offline_access
   &response_mode=form_post …
3. Browser -> STS:
   GET /connect/authorize?client_id=mvc&…
   302 /account/login… 302 /account/consent…
4. STS -> browser: an auto-submitting form posts the code to the client's redirection endpoint
   HTTP/1.1 200 OK
   …
   <form method='post' action='http://localhost:5002/signin-oidc'>
   <input type='hidden' name='code' value='deba7f4c87….' /> …
   <script>(function(){document.forms[0].submit();})();</script>
5. Web app backend -> STS token endpoint:
   POST http://localhost:5000/connect/token
   client_id=mvc&client_secret=secret
   &code=deba7f4c87…&grant_type=authorization_code
6. STS -> web app:
   HTTP/1.1 200 OK
   Content-Type: application/json; charset=UTF-8
   …
   {"id_token":"…", "access_token":"eyJhbGciO…"
7. Web app -> API:
   GET http://localhost:5001/identity
   Authorization: Bearer eyJhbGciO…
8. API -> web app:
   HTTP/1.1 200 OK
   Content-Type: application/json; charset=UTF-8
   …
   [{"type":"nbf","value":"1531258758"}, …
DEMO – Implicit Flow
[Diagram only: implicit flow exchange]

Authorization Code Interception Attack
[Diagram only: the authorization code interception attack that PKCE addresses]

RFC7636 - Proof Key for Code Exchange (PKCE)
[Diagram only: PKCE flow]
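The client side of the authorization code demo with PKCE added, plus the authorization server's check at the token endpoint, as an added example (not code from the talk or from IdentityServer). It reuses the demo's endpoints, client_id=mvc and redirect_uri; the verifier/state store, the helper names and the S256-only policy are assumptions of this example. The RFC 7636 Appendix B test vector is used to check the challenge computation.

```python
# Added example (not from the talk): authorization code flow with PKCE (RFC 7636).
# Endpoint, client_id and redirect_uri values are the demo's; everything else is assumed.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "http://localhost:5000/connect/authorize"
CLIENT_ID = "mvc"
REDIRECT_URI = "http://localhost:5002/signin-oidc"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """RFC 7636: 43..128 chars of [A-Za-z0-9-._~]; 32 random bytes give 43 base64url chars."""
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def start_login(pending: dict) -> str:
    """Demo step 2: build the redirect to /connect/authorize.
    The verifier is kept server-side under the state key; only the challenge leaves."""
    state = b64url(secrets.token_bytes(16))
    verifier = make_code_verifier()
    pending[state] = {"code_verifier": verifier}
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "openid profile api1 offline_access",
        "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_callback(pending: dict, returned_state: str, code: str) -> dict:
    """Demo steps 4-5: on the redirect back, bind the code to the login we started,
    then build the token request that carries the verifier."""
    login = pending.pop(returned_state, None)   # one-shot: a state is usable once
    if login is None:
        raise ValueError("unknown or replayed state")
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": login["code_verifier"],
    }


def server_verify_pkce(stored_challenge: str, method: str, code_verifier: str) -> bool:
    """Authorization-server side of the token request: recompute and compare.
    Only S256 is accepted; with "plain" the challenge equals the verifier."""
    if method != "S256":
        return False
    return hmac.compare_digest(s256_challenge(code_verifier), stored_challenge)


def query_params(url: str) -> dict:
    """Helper for inspection: the query string of a URL as {name: value}."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
```

A code stolen from the redirect is useless to whoever took it without the verifier, which never left the client backend; the state check separately ties the callback to a login this client actually started.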
Web Apps – Other security concerns
• HTTPS all the way!
• Cross-site request forgery (CSRF)
  • ASP.NET Core 2+ injects antiforgery tokens automatically when using tag helpers
  • Built-in action filters:
    • ValidateAntiForgeryToken
    • AutoValidateAntiforgeryToken
    • IgnoreAntiforgeryToken
• Cross-site scripting (XSS)
  • Validate user input (forms, query string, HTTP headers)
  • HTML/URL encoding

Web Apps – Other security concerns (cont.)
• Cross-origin requests (CORS)
  • Enable CORS and set explicit policies
• Secret/key management and data protection
• Open redirects
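A return-URL check for the "open redirects" bullet, together with the exact-match rule an STS applies to a client's redirect_uri, as an added example (not code from the talk). The allow-listed host is constructed; the registered redirect_uri is the demo's. The rules it encodes (reject scheme-relative and backslash forms, accept only https for absolute URLs, compare the hostname rather than the whole netloc, match redirect_uri as an exact string) follow RFC 6749 section 3.1.2 and the way browsers parse URLs.

```python
# Added example (not from the talk): open-redirect guard and redirect_uri matching.
# ALLOWED_HOSTS is constructed; REGISTERED_REDIRECT_URIS holds the demo's value.
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"app.example"}   # constructed: hosts we are willing to send users to

# redirect_uri values registered for the demo's "mvc" client. The STS compares the
# request's redirect_uri against these as an exact string: no prefix or path matching.
REGISTERED_REDIRECT_URIS = {"http://localhost:5002/signin-oidc"}


def is_safe_return_url(url: str, allowed_hosts=frozenset(ALLOWED_HOSTS)) -> bool:
    """True only for a local absolute path or an https URL on an allow-listed host."""
    if not url or any(ch in url for ch in "\r\n\t"):
        return False
    url = url.strip()
    # "//evil.example" is scheme-relative; browsers also read "/\evil.example" and
    # "\\evil.example" as a new authority, so refuse any leading backslash form too.
    if url.startswith("//") or "\\" in url[:2]:
        return False
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        return url.startswith("/")           # e.g. /Home/Secure
    if parts.scheme.lower() != "https":      # HTTPS all the way: no http:, javascript:, data:
        return False
    return parts.hostname in allowed_hosts   # hostname, not netloc: "app.example@evil.example" fails


def redirect_uri_is_registered(requested: str,
                               registered=frozenset(REGISTERED_REDIRECT_URIS)) -> bool:
    """Exact match against the registered set; variations in path or query are rejected."""
    return requested in registered
```

Both checks are deliberately boring: a denylist of known bad prefixes is what attackers route around, while an allow-list of hosts and an exact-match set of redirect URIs leaves nothing to parse creatively.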
Federation gateway (before impl)
[Diagram: each ASP.NET Core web application runs its own auth middleware and connects over the internet directly to every external identity provider (Google, Facebook, …, Azure AD)]

Federation gateway (after impl)
[Diagram: the ASP.NET Core web applications' auth middleware talks only to a single STS; the STS alone connects over the internet to the external identity providers (Google, Facebook, …, Azure AD)]
Thank you
Vladimir Bychkov
Software craftsman
bychkov@gmail.com
